Emotet Uses Domain Hijacking to Trick DMARC

Delaware, USA – October 29, 2018 — Emotet malware operators have found a way to bypass anti-spoofing protection through domain hijacking. The cybercriminals behind this former trojan continually modify its delivery mechanism, as they use a ready-made infrastructure to distribute malware for other threat actors such as Trickbot, Zeus Panda and IcedID. Earlier this month the adversaries added new features that make the malware stealthier, and now they have adapted to US-CERT’s warning, which recommends enabling Domain-based Message Authentication, Reporting and Conformance (DMARC) to evaluate the authenticity of emails.

One of the functions of Emotet after it infects a system is to send malicious emails that spread the infection further. To do this, the malware connects to its command-and-control server and downloads a list of email addresses, the contents of the email and a sender address to spoof. DMARC protects organizations by filtering emails whose sender domain cannot be authenticated. Authentication relies on DomainKeys Identified Mail (DKIM): the receiving mail server queries the sender’s domain (via DNS) to obtain the public key needed to check the message signature. Emotet operators hijack domains and create _domainkey subdomains so that this key lookup succeeds, their spam bypasses DMARC, and organizations are infected more efficiently.
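As an added illustration (not code from the original article), the following audit shows why a `_domainkey` record published in a hijacked zone passes DKIM and DMARC alignment from a receiver's point of view, and how comparing the DNS-published key against the organization's own selector inventory exposes the rogue record. The domain example.com, the selectors mail2018 and s1, the key values and the in-memory DNS stand-in are all constructed for the example.

```python
# Constructed inventory: DKIM selectors and public keys the organization knows it
# provisioned for its own domain (hypothetical domain and key values).
PROVISIONED_KEYS = {"example.com": {"mail2018": "MIIBIjANBgkqEXPECTEDKEY"}}

# Constructed stand-in for DNS: what a receiver would fetch from the zone after an
# attacker controlling it added a second _domainkey record with their own key.
DNS_TXT = {
    "mail2018._domainkey.example.com": "v=DKIM1; k=rsa; p=MIIBIjANBgkqEXPECTEDKEY",
    "s1._domainkey.example.com": "v=DKIM1; k=rsa; p=MIIBIjANBgkqROGUEKEY",
}


def parse_tags(value: str) -> dict:
    """Parse a tag=value list (DKIM-Signature header or DKIM DNS TXT record)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = "".join(v.split())  # drop folded whitespace inside values
    return tags


def dkim_record_name(sig: dict) -> str:
    """DNS name a verifier queries for the signing key: <selector>._domainkey.<d=>."""
    return f"{sig['s']}._domainkey.{sig['d']}"


def audit_dkim(dkim_header: str, from_domain: str, dns=DNS_TXT, known=PROVISIONED_KEYS) -> list:
    """Return findings for one DKIM-Signature header. A verifier only asks DNS, so a key
    the attacker published under a hijacked zone passes DKIM and satisfies DMARC
    alignment; only comparing against what the org provisioned exposes it."""
    sig = parse_tags(dkim_header)
    findings, d = [], sig["d"]
    # DMARC relaxed alignment: d= must equal the From domain or be a parent of it
    if not (from_domain == d or from_domain.endswith("." + d)):
        findings.append("dkim-not-aligned")
    record = dns.get(dkim_record_name(sig))
    if record is None:
        findings.append("no-dns-key")  # DKIM would fail outright
        return findings
    published = parse_tags(record).get("p", "")
    expected = known.get(d, {}).get(sig["s"])
    if expected is None:
        findings.append("unprovisioned-selector")  # key is in DNS but the org never created it
    elif expected != published:
        findings.append("key-mismatch")  # known selector, but its key was replaced
    return findings
```

Feeding `audit_dkim` with the DKIM-Signature headers seen at the mail gateway for your own domain, and alerting on any finding other than an empty list, turns the zone-level inventory into a detection for exactly the rogue-selector technique described above.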

Emotet is today one of the most efficient tools for infecting Windows systems, and its indicators of compromise change daily. You can detect Emotet using regularly updated SIEM rules: https://tdm.socprime.com/tdm/info/1279/

You can also use the Windows Security Monitor rule pack to uncover suspicious operations in your corporate network: https://my.socprime.com/en/integrations/windows-security-monitor-arcsight